SAML 2.0 request to AD FS

Time: 2015-04-09 11:41:53

Tags: saml-2.0 adfs adfs2.0

I am submitting a SAMLRequest to ADFS from an HTML form. After the request is sent, I get a form asking for a username and password. When I supply a valid username and password and submit the form, it shows me the following error:

There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and 
provide the reference number to identify the problem.
**Reference number**: 5881826a-80a1-4e00-8baa-c477c2348ef1 

Here is the SAMLRequest:

    <?xml version="1.0" encoding="UTF-8"?>
    <samlp:AuthnRequest
      AssertionConsumerServiceURL="http://www.someurl.com"
      ForceAuthn="false" IsPassive="false"
      IssueInstant="2015-04-09T11:17:43.273Z"
      ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.abc.com/adfs</saml:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ds saml samlp" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>eOh4k4OqoVnNCoCMpKTgqILoLGw=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
    IvxweY9qkKKy5FrhHn08S2Q0KFeBR26t7N5/nbUXJEyVRpK8UopEnYT361pq5udgTaw3OMpoTIGg
    bNLzSVYu91q12XOPTXyyx2UP6yfDq3lgD+5w71t6ziNTXgQuFhr8a2G97p83xOLF5f3l8MrGSjpL
    Y7tVBKESAGw+klqVjotM1p5QvB51YVhNkvAy5Fw2jvZVTmjahRg/4wjDplbU1rdHiZ4mumyh5NZT
    BwNCx/003ba7jaKEjTze0UG1wb4qtI63P1/7hqWVLGHrArG46Q2qPpiwBNCOpxOlgXOeU/mfOjQG
    hMcDv5+3AllzdlrPoQE90WItScPG4yzu8eiYSQ==
        </ds:SignatureValue>
      </ds:Signature>
      <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
      <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </samlp:RequestedAuthnContext>
    </samlp:AuthnRequest>

Here is the stack trace I got from the ADFS event log:

    Log Name:      AD FS 2.0/Admin
    Source:        AD FS 2.0
    Date:          4/7/2015 10:36:41 AM
    Event ID:      364
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          LTI\sa-adfs
    Computer:      SOMESERVER.ADMIN.LES.LOCAL
    Description:
    Encountered error during federation passive request. 

    Additional Data 

    Exception details: 
    Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
    at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)

    System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
    at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)


    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="AD FS 2.0" Guid="{20E25DDB-09E5-404B-8A56-EDAE2F12EE81}"   />
    <EventID>364</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="2015-04-07T14:36:41.375618200Z" />
    <EventRecordID>7999</EventRecordID>
    <Correlation ActivityID="{4501AAAF-E56D-4553-A6C9-27AC5190A0EA}" />
    <Execution ProcessID="4956" ThreadID="2756" />
    <Channel>AD FS 2.0/Admin</Channel>
    <Computer>250ADFS1.ADMIN.LES.LOCAL</Computer>
    <Security UserID="S-1-5-21-2101114347-22087826-926709054-84784" /> 
      </System>
      <UserData>
        <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---&gt; System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)

    System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)

    </Data>
          </EventData>
        </Event>
      </UserData>
    </Event>

Is this error caused by something missing from the SAMLRequest, or is it a problem on the ADFS side? How can I track this down, and what could cause this error?
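Before chasing the error on the AD FS side, it is worth checking a request like the one above against the parts of SAML 2.0 Core and Bindings that AD FS enforces on incoming messages. The request as posted has no `ID` attribute (mandatory on every request), its `ds:Reference` points at `URI=""` rather than the `#ID` same-document reference SAML requires for signed messages, it is signed but carries no `Destination`, and it uses SHA-1. The Python lint below is an added example, not code from this question or from AD FS. The embedded request is a constructed, abridged copy of the posted one (signature value shortened, Transforms omitted); the SP identifier, ACS URL and AD FS endpoint used when rebuilding a compliant request are placeholders, and the rebuilt request is left unsigned because XML-DSig needs a library such as xmlsec.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SHA1_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1"}

# Constructed copy of the request in the question (signature value shortened, Transforms omitted).
POSTED_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  AssertionConsumerServiceURL="http://www.someurl.com" ForceAuthn="false" IsPassive="false"
  IssueInstant="2015-04-09T11:17:43.273Z" Version="2.0"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.abc.com/adfs</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>eOh4k4OqoVnNCoCMpKTgqILoLGw=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>IvxweY9qkKKy5FrhHn08S2Q0KFeBR26t7N5/nbUXJEyVRpK8UopEnYT361pq5udg...</ds:SignatureValue>
  </ds:Signature>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>"""


def lint_authn_request(xml_text: str) -> list[str]:
    """Return the problems found in an AuthnRequest; an empty list means none of these checks fired."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        return [f"root element is {root.tag}, expected samlp:AuthnRequest"]
    findings: list[str] = []

    # RequestAbstractType makes ID, Version and IssueInstant mandatory (SAML 2.0 Core 3.2.1).
    for attr in ("ID", "Version", "IssueInstant"):
        if not root.get(attr):
            findings.append(f"missing required attribute {attr}")
    request_id = root.get("ID", "")
    if request_id and not (request_id[0].isalpha() or request_id[0] == "_"):
        findings.append(f"ID {request_id!r} is not a valid xs:ID (must start with a letter or '_')")
    if root.get("Version", "2.0") != "2.0":
        findings.append(f"Version is {root.get('Version')!r}, expected '2.0'")

    # AD FS resolves the relying party trust from saml:Issuer, so it must be present.
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        findings.append("missing saml:Issuer (must equal the identifier of a relying party trust)")

    acs = root.get("AssertionConsumerServiceURL", "")
    if acs.startswith("http://"):
        findings.append(f"AssertionConsumerServiceURL {acs} is plain HTTP; the assertion would be posted in the clear")

    sig = root.find("ds:Signature", NS)
    if sig is not None:
        # A signed message on the POST binding must carry Destination (SAML 2.0 Bindings 3.5.5.2).
        if not root.get("Destination"):
            findings.append("signed request has no Destination attribute")
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        expected = f"#{request_id}" if request_id else None
        if ref is None:
            findings.append("ds:Signature has no ds:Reference")
        elif expected is None or ref.get("URI") != expected:
            findings.append(f"ds:Reference URI={ref.get('URI')!r} must be a same-document reference "
                            f"to the root ID ({expected!r}) (SAML 2.0 Core 5.4.2)")
        for alg in sorted({el.get("Algorithm") for el in sig.iter() if el.get("Algorithm") in SHA1_ALGS}):
            findings.append(f"SHA-1 based algorithm {alg}; use RSA-SHA256 and SHA-256")
    return findings


def build_authn_request(issuer: str, acs_url: str, destination: str,
                        name_id_format: str = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient") -> str:
    """Assemble a minimal AuthnRequest that passes lint_authn_request (unsigned).

    If the relying party trust requires signed requests, the ds:Signature goes after
    saml:Issuer with <ds:Reference URI="#{ID}">; that needs an XML-DSig library (e.g. xmlsec).
    """
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": "_" + secrets.token_hex(16),  # xs:ID must not start with a digit; 128 random bits
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{NS['samlp']}}}NameIDPolicy", {"Format": name_id_format, "AllowCreate": "true"})
    return ET.tostring(root, encoding="unicode")


def encode_for_post_binding(xml_text: str) -> str:
    """Value of the SAMLRequest form field: base64 only (DEFLATE belongs to the HTTP-Redirect binding)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_post_binding(value: str) -> str:
    return base64.b64decode(value).decode("utf-8")
```

Running `lint_authn_request(POSTED_REQUEST)` reports the missing `ID`, the `URI=""` reference, the absent `Destination`, the plain-HTTP ACS URL and the two SHA-1 algorithms; `build_authn_request("https://sp.example.com/saml", "https://sp.example.com/saml/acs", "https://sts.abc.com/adfs/ls/")` yields a request the lint accepts, and `encode_for_post_binding` turns it into the `SAMLRequest` form value. Whether `saml:Issuer` matches a relying party trust identifier can only be checked against the AD FS configuration.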

1 answer:

Answer 0 (score: 0)

One possible cause is that the request asks for a Transient NameId. You can check whether the relying party trust for that SP has a NameId claim rule that issues the correct one, as described at http://blog.auth360.net/2012/09/02/adfs-as-an-identity-provider-and-saml-2-0-saas-application-integration/
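The SP side of what this answer describes, as an added example that is not part of the answer or the linked blog post: the AuthnRequest asked for a transient NameID, so the SP should verify that the Response it gets back actually satisfies that policy rather than assume it. The three Responses below are constructed for the demonstration (unsigned, with an assumed AD FS issuer of `https://sts.abc.com/adfs/services/trust` and a made-up NameID value) and mirror the outcomes an SP has to distinguish: a transient NameID issued by a matching claim rule, a successful Response whose assertion carries no NameID because no nameidentifier claim was issued, and a non-success status with the SAML-defined `InvalidNameIDPolicy` second-level code.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"  # default when Format is absent
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"
ISSUER = "https://sts.abc.com/adfs/services/trust"  # assumed federation service identifier


def check_name_id_policy(response_xml: str, requested_format: str) -> dict:
    """Classify a Response against the NameIDPolicy Format the AuthnRequest carried.

    Run this only after the Response/Assertion signature has been verified;
    ElementTree does nothing for XML-DSig.
    """
    root = ET.fromstring(response_xml)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    sub = top.find("samlp:StatusCode", NS) if top is not None else None
    result = {"ok": False, "status": top.get("Value") if top is not None else None,
              "substatus": sub.get("Value") if sub is not None else None,
              "name_id": None, "format": None, "reason": ""}
    if result["status"] != SUCCESS:
        result["reason"] = "IdP did not return Success"
        return result
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        result["reason"] = "assertion has no NameID; the IdP issued no nameidentifier claim"
        return result
    result["name_id"] = (name_id.text or "").strip()
    result["format"] = name_id.get("Format", UNSPECIFIED)
    if result["format"] != requested_format:
        result["reason"] = f"NameID format {result['format']} does not match requested {requested_format}"
        return result
    result["ok"] = True
    return result


def _response(status_codes: list[str], name_id_xml: str) -> str:
    """Build a constructed, unsigned Response for the demonstration (not real AD FS output)."""
    codes = ("".join(f'<samlp:StatusCode Value="{c}">' for c in status_codes)
             + "</samlp:StatusCode>" * len(status_codes))
    assertion = ""
    if status_codes[0] == SUCCESS:  # a non-success Response carries no assertion
        assertion = ('<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-04-09T11:18:00Z">'
                     f'<saml:Issuer>{ISSUER}</saml:Issuer><saml:Subject>{name_id_xml}</saml:Subject>'
                     '</saml:Assertion>')
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" '
            f'Version="2.0" IssueInstant="2015-04-09T11:18:00Z"><saml:Issuer>{ISSUER}</saml:Issuer>'
            f'<samlp:Status>{codes}</samlp:Status>{assertion}</samlp:Response>')


# Constructed samples: claim rule present / no NameID claim rule / request refused.
GOOD = _response([SUCCESS], f'<saml:NameID Format="{TRANSIENT}">_8f2c0c4e6b1d4f0a9e7b3c5d1a2f4e6b</saml:NameID>')
NO_NAMEID = _response([SUCCESS], "")
REJECTED = _response([RESPONDER, INVALID_NAMEID_POLICY], "")

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("no NameID", NO_NAMEID), ("rejected", REJECTED)):
        print(label, check_name_id_policy(sample, TRANSIENT))
```

Only the first sample passes; the second fails even though the status is `Success`, which is the case the claim rule in the answer fixes, and the third surfaces the second-level status code so the SP can log why the IdP refused instead of showing a generic error. Requesting `PERSISTENT` against the first sample also fails, since a transient identifier must never be treated as a stable user key.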